SEPARATION OF DUTIES
Many companies do not have an independent Security Operations Center (SOC). A common theme is that they have the network engineers take on additional tasks. Some companies can get away with this for a while. There comes a time when the risk becomes too great.
The primary focus of your Network Operations Center (NOC) engineers is meeting the service level agreement (SLA) requirements that your team has committed to for internal customers. This usually centers on the performance and availability of hardware, servers, network components and software.
The SOC is completely dedicated to security. The SOC charter extends beyond uptime of hardware and software. The SOC duties include, among others:
- Management of external and internal threats
- Firewall management
- Virus / Malware protection
- Endpoint and Mobile device protection
- Intrusion prevention/detection
- Incident response and management
- Encryption protection of data in transit and at rest
- Movement and containment of sensitive data
ONLY USE THE SKILLS YOU NEED
The NOC analyst has a network management and engineering background. A SOC analyst is a security engineer proficient in cybersecurity tools. Cybersecurity training and certifications do not come cheap. They require a good amount of time and dollars. Any ambitious network engineer is going to jump at the chance to get their CISSP and have someone pay for it. While it is good to have a more educated staff, there is an opportunity cost to them getting it. While they are training, dealing with the performance or availability issues must fall on someone else. Companies that build their own SOC operation will need to bring on additional skills to cover the SOC learning curve.
A managed SOC will save you time because you will have people specifically focused on the SOC pieces. A big chunk of a SOC analyst's time is spent keeping up to date on everything that's going on in the cybersecurity world. Having people dedicated to tracking what's going on for you can reduce that cost. Managed SOCs spread their research cost over several clients. Everyone reaps the benefits of that.
REDUCED SECURITY STAFF
A 24 / 7 / 365 SOC is no small affair. The cost of setting one up varies from organization to organization. To properly set up a SOC, you are spending time and money on hardware, network devices, components, software and staff. It's not unheard of for companies to spend close to $2 million on the initial buildout and tools of a SOC. That same initial investment then carries an ongoing cost of about $600K each year for staff and another $100K+ in annual licensing fees. Out-tasking this program eliminates the need for the buildout cost, tools, hardware, software licenses and staff. You could have your managed SOC up and running for as little as $5K in initial cost and as little as $2K a month, depending on the size of your organization.
24/7 MONITORING AT A FRACTION OF TYPICAL COST
A 24-hour, full-time monitored SOC on average requires a staff of 6 to 10 to run. This covers every minute with a minimum degree of expertise. This is a much different level of coverage than the on-call network engineer. Most companies do not have the funds for that type of 24-hour monitoring. Their risk may be high, but spending a million dollars a year on cybersecurity protection makes even less sense.
A multi-billion-dollar energy company with 40,000 employees around the world can easily justify that amount of investment. It is a different story for the $250M regional company. The risk exposure and tolerance can be very close for these two companies.
Managed SOCs make a lot of sense in the latter. The company gets the level of monitoring, response and skill they need to properly reduce risk, but without the cost.
IMMEDIATE THREAT IDENTIFICATION
Many companies have an ad-hoc SOC. It consists of additional duties thrown onto the networking team. A very common scenario is that someone is on call for any type of alert that the system creates. Team members take turns monitoring the alerts at night. It is not uncommon for the on-call person to take an extended period of time before they start to review an alert. Even then you may be limited to the one on-call person, and their knowledge base, for several hours. If it's a real issue, like the WannaCry ransomware, detecting the threat early would save a company quite a bit of money, time and trouble.
REALTIME THREAT ISOLATION
The average time a company takes to detect a cyber breach is 206 days. That number has gone up in recent years, not down.
206 days is a long time for bad actors to do damage. The list of who else can be let in and what they can do is long. Once a breach has been made, a high-priority action for the attacker is to open more doors.
If a company's risk tolerance does not allow for "average" breach detection, then an investment needs to be made in real-time threat detection and isolation. That investment is not a one-time event. The bad actors are constantly updating their techniques and tools. So are the good guys.
Whether your company is an SMB or a multi-billion-dollar global operation, cybersecurity and your risk tolerance towards it need to be a topic. The bad actors do not discriminate. They often target SMBs because they are easier to get into. Companies can do it themselves and continually add tasks and responsibilities onto an already spread-too-thin network engineer.
Managed SOCs make sense for a lot of companies. You get the benefits of the training, monitoring and risk reduction at a fraction of the cost of doing it yourself.